Instead, both experts say, employees are more likely to be motivated into compliance if security managers can put risk into a context that relates to them directly. Most employees know that a security breach affects not just data, but also the company's brand and reputation. But Harkins notes that employees in some business units might not fully understand that they could play a role in a breach just by doing what they consider business as usual.
A marketing team, for instance, might want to launch a new interactive website ahead of its competitors, he explains. The website's content might seem harmless if, for example, it doesn't include intellectual property -- just a few interactive screens and videos. But what if a third-party provider that helped develop the site left vulnerabilities that allow a hacker to implant malware in one of the links on the site? Explaining such risks ahead of time, and in a way that's specific to the department's line of business, helps ensure the group will do what's necessary to mitigate damage, Harkins says.
Real-world examples can also drive the message home. When a data breach makes the news, use it as a teaching tool -- in training classes, via email or through video presentations. Discuss the likelihood of a similar breach occurring in your organization. Ask: How would a breach like this have affected our company? What people or business units should remain extra vigilant against a similar attack? What security measures do you already have in place to protect against such an attack?
2. Go Phishing, Internally
Another effective technique is to launch simulated phishing scams. Then see how many employees take the bait, and offer advice on avoiding similar real-world scams.
Royal Philips Electronics recently launched a pilot program of controlled phishing attacks, says Nick Mankovich, chief information security officer. Working with a professional phishing partner, whom Mankovich declined to name, Philips simulates an email scam that tries to get employees to click a link to a website and then enter their password and username. When an employee clicks on the link, a message pops up explaining his error and offering tips to avoid being scammed in the future.
"It's not about embarrassing or surveilling anyone. It's really about giving material that means something at the moment when they click on the [phony] link," Mankovich says.
Depending on the exact nature of the attack, tips might include questions like: Did the email come from a trusted source? Was there something misspelled or unusual about the link? Did you remember to hover the mouse over the link and check the bottom of the screen to see if the actual target URL matched the one in the body of the message?